Requests for temporarily authorized operations are authenticated using the query-string parameters instead of the authorization header.
In OBS, a registered and activated user can use its account to create a URL that contains authentication information. In addition, any user that obtains the URL can perform the operation specified by the URL.
For example, for a temporarily authorized Get Object request, a specific URL is created, and any user who obtains this URL can get the specified object before the expiration time.
GET /ObjectKey?AWSAccessKeyId=AccessKeyID&Expires=ExpiresValue&Signature=signature HTTP/1.1
Host: bucketname.obs.example.com
The required authentication elements are specified as query string parameters detailed in Table 1.
| Parameter | Description | Remarks |
| --- | --- | --- |
| AWSAccessKeyId | Indicates the AK of the permission grantor. Type: String | Mandatory |
| Expires | Indicates the time (expressed in seconds) when the temporarily authorized URL expires. The time must be in Coordinated Universal Time (UTC) format and later than 00:00:00 on January 1, 1970. Type: String | Mandatory |
| Signature | Indicates the signature generated using the SK and parameter Expires. Type: String | Mandatory |
The query-string authentication differs from the authorization header authentication in the following aspects:
StringToSign = HTTP-Verb + "\n" + Content-MD5 + "\n" + Content-Type + "\n" + Expires + "\n" + CanonicalizedOBSHeaders + CanonicalizedResource
Signature = URL-Encode( Base64( HMAC-SHA1( YourSecretAccessKeyID, UTF-8-Encoding-Of( StringToSign ) ) ) )
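The following added example (not code from the OBS documentation or SDK) builds a temporarily authorized Get Object URL from the formula above and then re-checks it the way a verifier would, rejecting expired or altered URLs. The function names, the sample AK/SK, and the choice of "/bucket/key" as CanonicalizedResource with empty Content-MD5, Content-Type and CanonicalizedOBSHeaders are assumptions made for the illustration.

```python
import base64, hashlib, hmac, time
from urllib.parse import parse_qs, quote, unquote, urlsplit

def sign(sk, verb, resource, expires, content_md5="", content_type="", obs_headers=""):
    """Base64(HMAC-SHA1(SK, UTF-8(StringToSign))), before URL encoding."""
    string_to_sign = (f"{verb}\n{content_md5}\n{content_type}\n{expires}\n"
                      f"{obs_headers}{resource}")
    mac = hmac.new(sk.encode("utf-8"), string_to_sign.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")

def presign_get(ak, sk, bucket, key, expires, endpoint="obs.example.com"):
    """Build a Get Object URL valid until `expires` (UTC epoch seconds)."""
    # Assumption: CanonicalizedResource is "/bucket/key" for a plain object GET.
    signature = quote(sign(sk, "GET", f"/{bucket}/{key}", expires), safe="")
    return (f"https://{bucket}.{endpoint}/{quote(key)}"
            f"?AWSAccessKeyId={ak}&Expires={expires}&Signature={signature}")

def verify_get(url, secrets, now=None):
    """Recompute the signature; True only if it matches and is unexpired."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)  # also undoes the URL encoding of Signature
    try:
        ak = query["AWSAccessKeyId"][0]
        expires = int(query["Expires"][0])
        presented = query["Signature"][0]
        sk = secrets[ak]  # hypothetical AK -> SK lookup table
    except (KeyError, ValueError):
        return False
    if (time.time() if now is None else now) >= expires:
        return False  # the Expires timestamp has passed
    bucket = parts.hostname.split(".", 1)[0]
    expected = sign(sk, "GET", f"/{bucket}{unquote(parts.path)}", expires)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), presented.encode())

if __name__ == "__main__":
    secrets = {"AKEXAMPLE": "constructed-secret-key"}  # constructed credentials
    url = presign_get("AKEXAMPLE", secrets["AKEXAMPLE"], "bucketname",
                      "reports/q1.pdf", int(time.time()) + 300)
    print(url)
    print(verify_get(url, secrets))
```

Because Expires and the resource path are both part of StringToSign, changing either in the URL invalidates the signature; the URL itself remains a bearer credential until Expires, so short lifetimes limit the exposure if it leaks.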